janiussyafiq opened a new pull request, #13570:
URL: https://github.com/apache/apisix/pull/13570

### Description

This PR adds a new plugin, **`ai-lakera-guard`**, that integrates APISIX with the [Lakera Guard v2 `/guard` API](https://docs.lakera.ai/) to perform ML-based security scanning of LLM **requests** at the gateway — prompt injection / jailbreak, PII leakage, content-policy violations, and malicious / unknown links — so each backend LLM service no longer has to implement its own guardrails.

This is **PR-1 (input guard MVP)** of a planned, independently shippable series (input → output → streaming → observability), modeled closely on `ai-aliyun-content-moderation`.

#### How it works

- Runs in the `access` phase at priority **1028**, just below `ai-proxy` (1040) and `ai-proxy-multi` (1041), so the AI context is already populated. The plugin **requires** one of those proxies and returns `500` otherwise.
- Extracts the whole request conversation via `apisix.plugins.ai-protocols` (no role distinction) and sends it to Lakera `POST /v2/guard`.
- On a flagged verdict it applies the configured `action`:
  - **`block`** (default) — returns a **provider-compatible** deny response (a valid chat-completion, or SSE for streaming requests) carrying `request_failure_message`, built via `proto.build_deny_response`, so client SDKs render the refusal as a normal completion. The status is `deny_code` (default `200`; set a 4xx to surface blocks as HTTP errors).
  - **`alert`** — log-only shadow mode; traffic passes through.
- Lakera errors / timeouts are governed by `fail_open` (fail-**closed** by default).
- `api_key` is secret-managed via `encrypt_fields` + native `$secret://` / `$env://` resolution.
- `reveal_failure_categories` optionally appends the matched detectors to the deny message; every flagged verdict logs Lakera's full per-detector breakdown and `request_uuid`.

#### Configuration

`api_key` is the only required field. Others: `lakera_endpoint`, `project_id`, `direction` (`input` only in this PR), `action`, `fail_open`, `timeout`, `ssl_verify`, `reveal_failure_categories`, `deny_code`, `request_failure_message`.

#### Files

- Plugin: `apisix/plugins/ai-lakera-guard.lua`, `apisix/plugins/ai-lakera-guard/schema.lua`, `apisix/plugins/ai-lakera-guard/client.lua`
- Registration: `apisix/cli/config.lua`, `conf/config.yaml.example`
- Docs: `docs/en/latest/plugins/ai-lakera-guard.md`, `docs/en/latest/config.json`
- Tests: `t/plugin/ai-lakera-guard.t`, `t/plugin/ai-lakera-guard-secrets.t`, fixtures under `t/fixtures/lakera/`

#### Which issue(s) this PR fixes:

Part of #13291

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (new, opt-in plugin disabled by default; additive registration only)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
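The verdict handling the description lays out under "How it works" (`block` vs. `alert`, `fail_open`, `deny_code`, `reveal_failure_categories`, logging of the per-detector breakdown and `request_uuid`), modelled in Python as an added example. This is not the plugin's Lua code; the shape of the Lakera verdict (`flagged`, `breakdown[].detector_type`/`detected`, `metadata.request_uuid`), the detector names in the sample, and the status used when failing closed are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class GuardConfig:
    # Defaults follow the PR description: block, fail-closed, deny with HTTP 200.
    action: str = "block"                 # "block" or "alert" (shadow mode)
    fail_open: bool = False
    deny_code: int = 200
    request_failure_message: str = "Your request was blocked by the AI guard."
    reveal_failure_categories: bool = False

@dataclass
class Decision:
    allow: bool
    status: Optional[int] = None          # set only when the request is denied
    message: Optional[str] = None         # text for the provider-compatible deny response
    log: str = ""                         # what the gateway would write to its error log

def flagged_detectors(verdict: dict) -> list:
    # Assumed v2 breakdown shape: one entry per detector with a boolean "detected".
    return [d["detector_type"] for d in verdict.get("breakdown", []) if d.get("detected")]

def decide(conf: GuardConfig, verdict: Optional[dict] = None,
           error: Optional[str] = None) -> Decision:
    # Apply the plugin's policy to one Lakera outcome: a verdict or a transport error.
    if error is not None:
        if conf.fail_open:
            return Decision(True, log=f"lakera unavailable ({error}); fail_open=true, passing")
        # Fail closed by default. The 503 is an assumption; the PR does not name the code.
        return Decision(False, 503, "AI guard unavailable",
                        log=f"lakera unavailable ({error}); fail_open=false, denying")
    if not verdict or not verdict.get("flagged"):
        return Decision(True, log="lakera verdict: clean")
    cats = flagged_detectors(verdict)
    uuid = verdict.get("metadata", {}).get("request_uuid", "<unknown>")
    log = f"lakera flagged request_uuid={uuid} detectors={cats} breakdown={verdict.get('breakdown')}"
    if conf.action == "alert":
        return Decision(True, log=log + " (alert mode, passing)")
    msg = conf.request_failure_message
    if conf.reveal_failure_categories and cats:
        msg += " Flagged categories: " + ", ".join(cats)
    return Decision(False, conf.deny_code, msg, log=log)

SAMPLE_FLAGGED = {  # constructed sample verdict, not captured from Lakera
    "flagged": True,
    "breakdown": [{"detector_type": "prompt_attack", "detected": True},
                  {"detector_type": "pii/credit_card", "detected": False}],
    "metadata": {"request_uuid": "00000000-0000-0000-0000-000000000000"},
}
```

Run `decide(GuardConfig(), SAMPLE_FLAGGED)` and `decide(GuardConfig(), error="timeout")` to see the default deny-as-200 and fail-closed paths side by side.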
